Category

Enforcement

22 July 2020

Brazilian Data Protection Law Update – Delayed Enforcement, Lack of Administrative Structure, and Market Unreadiness

(*As with all posts, this article is for informational purposes only; Sidley Austin LLP does not have offices in or practice law in Brazil; Felipe Saraiva is a former Sidley associate licensed to practice law in Brazil.)

The enactment of Law n. 13.709/2018 (the Brazilian Data Protection Law, or “LGPD”) in 2018 was followed by great enthusiasm from the general public in Brazil. Indeed, the comprehensive law has been viewed as a necessary measure for the country to join a select but growing group of nations in the systematic protection of individuals’ personal data.

Originally, the LGPD provided for a 12-month grace period for its enforcement; however, this term was subsequently extended to 24 months, as legislators understood the initial time frame wouldn’t give companies enough time to adapt. As previously analyzed in an article by these authors published on January 20, 2020, the LGPD’s provisions require a great deal of compliance effort from all organizations that are subject to the law.

In view of the current crisis caused by the spread of COVID-19, the compliance difficulties companies are facing, and the fact that the actual creation of the National Agency of Data Protection (“ANPD”) called for in the law is still pending, Brazilian legislators are further extending the LGPD’s grace period; these legislators now indicate that enforcement of the law’s general provisions are extended to May 3, 2021, while its legal sanctions would become enforceable as of August 1, 2021.

(more…)

EmailShare
02 July 2020

Privacy and Cybersecurity Roundtable: Monitor-Side Chat Series

These informal video chats, moderated by Sidley partner Alan Raul, are designed to help fill the COVID-19 induced privacy discussion drought. We look forward to hearing what is on the mind of key data protection and cybersecurity thought leaders from both public and private sectors. Each chat will be relatively brief, leaving some time to address participant questions via our virtual space. Please feel free to suggest any topics you would be interested to hear addressed by contacting dcevents@sidley.com.

(more…)

EmailShare
30 June 2020

Key Takeaways From Sidley’s Privacy and Cybersecurity Monitor-Side Chat Featuring Bruno Gencarelli, Head of International Data Flows and Protection at the European Commission

On June 25, 2020, Sidley partner, Alan Raul, founder and co-head of Sidley’s privacy and cybersecurity practice, hosted Bruno Gencarelli, head of International Data Flows and Protection at the European Commission, for a Monitor-Side Chat.

The discussion focused largely on the Commission’s report on two years of the GDPR which was issued on 24 June 2020. Key themes of the report include:

  • EU data protection authorities (“DPAs”) should increase their efforts towards the adoption of a harmonised approach to responding to cross-border investigations;
  • a call for greater resources to be given to DPAs by EU Member States to ensure the GDPR is sufficiently enforced;
  • a need for greater consistency among EU Member States on interpretations of the GDPR in national laws in order to avoid unnecessary burdens on companies; and
  • greater utilisation of the data portability right under the GDPR to ensure individuals have greater involvement in the digital economy by enabling them to switch between different service providers and make use of other innovative services.

(more…)

EmailShare
26 June 2020

The Return of the Mac: CCPA 2.0 Qualifies for California’s November 2020 Ballot and Could Usher In Sweeping Changes to CCPA

The California Privacy Rights Act (CPRA), a proposed initiative to codify far-reaching amendments to the California Consumer Privacy Act (CCPA) and sometimes referred to as “CCPA 2.0”, is back in play and heading to the November 2020 ballot.  A series of dramatic procedural twists and turns culminated with initiative backers successfully obtaining a writ of mandate directing the Secretary of State to direct counties to verify signatures for the ballot proposal by the June 25th Constitutional deadline.  This verification involved each county conducting a random sample of the more than 800,000 signatures that proponents had submitted to place the initiative on the ballot.

Before the California court’s ruling, observers were skeptical that signatures could be verified before the deadline.  Initiative proponents were almost two weeks behind the recommended schedule when they delivered signatures to be verified by California’s 58 counties.  This meant counties had until June 26th to verify signatures — a day after the June 25th Constitutional deadline.  Experience with other initiatives this year had shown that several large counties were waiting until the deadline to complete verifications, so proponents petitioned the court to push the deadline up by a day in order to meet the Constitutional deadline.  The court agreed to do so, finding good cause existed to force counties to complete verifications a day early.  And, as it happened, the extra time was not needed, as counties finished the count two days ahead of their initial deadline.

(more…)

EmailShare
25 June 2020

French Council of State Upholds €50m CNIL Fine against Google

On June 19, 2020, the French Conseil d’État (“Council of State”) issued a decision upholding the €50 Million fine imposed against Google LLC by the French Supervisory Authority (the “CNIL”). On January 21, 2019, the French CNIL had issued a fine against Google’s U.S. headquarters for failure to comply with the EU General Data Protection Regulation’s (“GDPR”) fundamental principles of transparency and legitimacy. Please refer to the relevant Sidley Data Matters’ blog post on the CNIL decision here. The CNIL found that Google had insufficiently informed Android users about their data processing activities, given the complexity of Google’s privacy policy and terms & conditions, and that the consent obtained from them through the use of pre-ticked boxes was insufficient to serve as a legal basis for processing used for targeted advertising. This was the first and highest regulatory fine the CNIL had issued on the basis of the GDPR.

(more…)

EmailShare
05 June 2020

DOJ Updates Guidance on Evaluating Corporate Compliance Programs

On June 1, 2020, the Criminal Division of the U.S. Department of Justice (DOJ) publicized an updated version of its “Evaluation of Corporate Compliance Program” guidance. This is the third version of the document, with the DOJ having issued the guidance in 2017 (which we analyzed here) and revised it in April 2019 (which we analyzed here). This further revision is another reminder of the DOJ’s heightened focus and increasing sophistication regarding evaluating compliance programs during investigations. While the overall structure of the guidance generally remains consistent with the last version, the revisions provide additional insight into the DOJ’s expectations for corporate compliance programs. More specifically, the revisions highlight the importance of an adequately resourced and empowered compliance department, a constantly evolving compliance program based on the company’s current risk profile and relevant compliance issues, and the use of key compliance metrics to test the effectiveness of a compliance program.

(more…)

EmailShare
04 June 2020

CCPA Enforcement Date Rapidly Approaching: California Attorney General Proposes Regulations for Final Review With July 1, 2020 Less Than One Month Away

On June 1, 2020, California’s Office of the Attorney General (“AG”) moved one step closer to finalizing the California Consumer Privacy Act (“CCPA”) regulations when the AG submitted proposed final regulations for review and approval by California’s Office of Administrative Law (“OAL”).  This submission signals the end of the AG’s CCPA regulation drafting process that began in early 2019.  If the OAL approves the proposed final regulations, they will be finalized and enforceable by the AG, subject to any legal challenges.

(more…)

EmailShare
21 May 2020

FinCEN Issues Notice on Reporting COVID-19 Criminal and Suspicious Activities, Companion Advisory on COVID-19-Related Medical Scams

On May 18, 2020, the Financial Crimes Enforcement Network (FinCEN), as part of its COVID-19-related response, issued a Notice Related to the Coronavirus Disease 2019 (COVID-19) reminding financial institutions of certain Bank Secrecy Act (BSA) obligations and pertinent information regarding reporting COVID-19-related criminal and suspicious activity (the Notice). Contemporaneously, FinCEN issued an Advisory on Medical Scams Related to the Coronavirus Disease 2019 (COVID-19) (the Advisory).

In light of the Notice and Advisory, firms should (a) continue to comply with their BSA obligations; (b) include COVID-19 detail only when that detail relates to the reported suspicious activity; (c) review policies and procedures to notify and to provide COVID-19 information to government agencies, including verification of the requesting agency; (d) review the Advisory red flags related to medical scams; and (e) consider revising policies and procedures as appropriate.

COVID-19-related frauds are a special emphasis for law enforcement and regulatory agencies, so failing to detect and report those issues could be viewed as a significant flaw in a firm’s anti-money laundering (AML) program.

(more…)

EmailShare
05 May 2020

HHS Announces Exercise of Enforcement Discretion for Entities Engaged in COVID-19 Relief Efforts

Since COVID-19 was declared a pandemic, the U.S. Department of Health and Human Services (“HHS”) and its Office for Civil Rights (“OCR”) have taken a variety of steps to relax HIPAA restrictions particularly pertinent to the COVID-19 response.

First, as covered in an earlier posting, HHS took action to waive penalties and assure companies that it would exercise enforcement discretion with respect to the Privacy Rule’s application to telehealth services and certain limited communication activities related to COVID-19 treatment efforts. (more…)

EmailShare
04 May 2020

Stay At Home Orders May Have Killed California’s Ballot Initiative to Expand CCPA [**Update – But Californians for Consumer Privacy Say Maybe Not**]

UPDATE:  Soon after we published the post below, we learned that the sponsors of the California Privacy Rights Act (CPRA) – i.e., the ballot initiative that aimed to amend and significantly expand the California Consumer Privacy Act (CCPA) – intend to push forward with their attempt to get it on the ballot this year.  On May 4th, the initiative’s sponsors, the Californians for Consumer Privacy, announced on Twitter they were submitting to counties across the state.  Whether county election officials can verify the signatures in time to qualify for the November 2020 ballot remains to be seen.  While conventional wisdom is that the recommended April deadline is an important one to make, the approval process may be different this year due to the COVID-19 pandemic and how it might affect the availability of resources to approve initiatives.  We will continue to monitor this situation and provide updates on Data Matters as appropriate.    

The California Privacy Rights Act (CPRA), the ballot initiative that aimed to amend and significantly expand the California Consumer Privacy Act (CCPA), including by creating the California’s very own data protection authority, the nation’s first, appears to be dead–at least for this ballot season.

(more…)

EmailShare
1 2 3 26
XSLT Plugin by BMI Calculator